Result: Towards combining chain-of-thought and code static analysis for buffer overflow vulnerability detection.

Title:
Towards combining chain-of-thought and code static analysis for buffer overflow vulnerability detection.
Source:
Software Quality Journal; Mar2026, Vol. 34 Issue 1, p1-18, 18p
Database:
Complementary Index

Further information

With the widespread use of system software such as operating systems and compilers, buffer overflow vulnerabilities have become one of the most common vulnerability classes. Because they are dynamic, diverse, and inherently complex, detecting buffer overflow vulnerabilities has long been a major challenge in software security. To address this, the study proposes GPTDetector, a buffer overflow vulnerability detection method based on dependency analysis and LLM chain-of-thought (CoT) prompting. By statically analysing C/C++ programs, GPTDetector tracks the data dependencies and control dependencies of specific sensitive code (the "threat code") and generates carefully designed prompts for vulnerability detection, thereby helping LLMs reason about and identify potential buffer overflow vulnerabilities. Experimental results show that GPTDetector significantly outperforms traditional models in detecting vulnerabilities in the source code of real-world projects, with an F1 score improved by 7.3%-14.6%. [ABSTRACT FROM AUTHOR]
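The abstract describes the pipeline only in outline: locate a sensitive call, collect the statements it depends on through data and control dependencies, and hand that slice to an LLM together with a prompt that forces step-by-step reasoning. The following Python sketch, added here as an illustration and not GPTDetector's own code, shows what such a dependency slice and prompt look like for a constructed C function. It assumes a regex-level view of C (one function, one statement per line, braces on the header line), a hand-picked sink list, and a constructed sample that pairs a bounded strcpy with a memcpy whose length is derived from a parameter; a real tool would use a proper program dependence graph over a parsed AST.

```python
"""Dependency slice of a C function around a memory-unsafe sink, rendered as a
chain-of-thought prompt. Illustrative sketch, not the GPTDetector implementation."""
import re
from dataclasses import dataclass

# Calls treated as buffer-overflow sinks ("threat code"); an assumed list.
SINKS = {"strcpy", "strcat", "sprintf", "gets", "memcpy", "strncpy", "scanf"}
KEYWORDS = {"if", "else", "for", "while", "return", "sizeof", "char", "int",
            "unsigned", "const", "void", "size_t", "long", "short", "static", "NULL"}

IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
DECL = re.compile(r"^\s*(?:(?:const|unsigned|static)\s+)*"
                  r"(?:char|int|size_t|long|short)\b\s*\*?\s*([A-Za-z_]\w*)")
ASSIGN = re.compile(r"^\s*\*?([A-Za-z_]\w*)\s*(?:\[[^\]]*\])?\s*=[^=]")
COND = re.compile(r"^\s*(?:if|while|for)\s*\(")

# Constructed sample: strcpy into a 32-byte buffer is bounded; memcpy copies an
# attacker-derived length into a 64-byte buffer, guarded only by `mode`.
SAMPLE = r"""void handle(const char *input, int mode) {
    char buf[64];
    char name[32];
    int len = strlen(input);
    int unused = mode * 2;
    strcpy(name, "guest");
    if (mode > 0) {
        memcpy(buf, input, len);
    }
    puts(buf);
}"""

@dataclass
class Slice:
    sink: str
    lines: list   # (index, text) of the slice's statements, in program order
    params: set   # function parameters the sink transitively depends on

def identifiers(text):
    """Identifier tokens in text, minus string literals, keywords and callee names."""
    text = STRING.sub('""', text)
    callees = set(CALL.findall(text))
    return {t for t in IDENT.findall(text) if t not in KEYWORDS and t not in callees}

def defined_var(line):
    """Variable defined by a declaration or assignment on this line, or None."""
    m = DECL.match(line) or ASSIGN.match(line)
    return m.group(1) if m else None

def enclosing_conditions(lines):
    """For each line, the indices of if/while/for headers whose block encloses it."""
    stack, result = [], []
    for i, line in enumerate(lines):
        result.append([j for j in stack if j is not None])
        for _ in range(line.count("}")):
            if stack:
                stack.pop()
        for _ in range(line.count("{")):
            stack.append(i if COND.match(line) else None)
    return result

def find_sinks(lines):
    return [(i, name) for i, line in enumerate(lines)
            for name in CALL.findall(line) if name in SINKS]

def slice_for_sink(lines, sink_idx, ctrl, params, sink):
    """Backward slice: every definition and condition the sink transitively depends on."""
    included, worklist, tainted = {sink_idx}, [sink_idx], set()
    while worklist:
        i = worklist.pop()
        for c in ctrl[i]:                             # control dependence
            if c not in included:
                included.add(c)
                worklist.append(c)
        # Uses on this line = identifiers minus the variable it defines (simplification:
        # a self-referencing update like `len = len + 1` loses its own dependency).
        defined = defined_var(lines[i]) if i != sink_idx else None
        for var in identifiers(lines[i]) - {defined}:  # data dependence
            if var in params:
                tainted.add(var)
            for j in range(i - 1, 0, -1):             # nearest preceding definition
                if defined_var(lines[j]) == var:
                    if j not in included:
                        included.add(j)
                        worklist.append(j)
                    break
    return Slice(sink, [(i, lines[i]) for i in sorted(included)], tainted)

def build_prompt(func_name, sl):
    """Render the slice plus explicit reasoning steps as a CoT prompt."""
    code = "\n".join(f"{i + 1:>3}  {t}" for i, t in sl.lines)
    params = ", ".join(sorted(sl.params)) or "none"
    return (
        f"Function `{func_name}` calls `{sl.sink}`. Only the statements the call\n"
        f"depends on (its data and control dependencies) are shown:\n\n{code}\n\n"
        "Reason step by step:\n"
        f"1. What is the destination buffer of `{sl.sink}` and how many bytes does it hold?\n"
        "2. How many bytes may the call write, and which variables control that count?\n"
        f"3. Trace those variables to their origin; caller-controlled parameters: {params}.\n"
        "4. Does any enclosing condition bound the write before it executes?\n"
        "5. Answer VULNERABLE or SAFE and justify the verdict from the steps above.\n"
    )

def analyze(source):
    """Slice every sink in a single C function; return (Slice, prompt) pairs."""
    lines = source.split("\n")
    sig = lines[0]
    func_name = CALL.search(sig).group(1)
    params = identifiers(sig[sig.index("(") + 1:sig.rindex(")")])
    ctrl = enclosing_conditions(lines)
    return [(sl, build_prompt(func_name, sl))
            for idx, sink in find_sinks(lines)
            for sl in [slice_for_sink(lines, idx, ctrl, params, sink)]]
```

Running analyze(SAMPLE) yields two slices. The memcpy slice keeps the `buf` declaration, the `len` definition and the `if (mode > 0)` guard, marks `input` and `mode` as caller-controlled, and drops the unrelated `name`, `unused` and `puts` statements; the strcpy slice contains only the `name` declaration and the call itself. That pruning is the point of the method: the model sees the few statements that decide whether the write is bounded, rather than the whole function.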

Copyright of Software Quality Journal is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)